The Identity Theft Protection Act of 2005
Kim D’Arruda
Roy Cooper, Attorney General
ID Theft Protection Act of 2005: Statutory Overview
Social Security Number Protection
Security Freeze
Document Destruction
Security Breach
www.noscamnc.gov
Social Security Number Protection
Statutes dictate collection of SSNs
  By businesses
  By government
Practical considerations:
  Don’t carry your SS card with you
  Don’t carry a Medicare card with you
Request free credit report
Security Freeze
What is it?
How to place it?
How to remove it?
What does it cost?
Hypothetical 1
your business is running out of room for old records (some of which contain personal info of employees/customers)
you determine which records can be disposed of legally
. . .
a)
. . .
there are recycling bins in the parking lot and the recycling is picked up every Friday evening
you place your old files in the recycle bin one Friday at lunch time before heading to the beach/mountains for the weekend . . .
b)
. . .
you throw the old files into your trash can to be picked up by the cleaning crew that night . . .
c)
. . .
you decide to take your old files to the landfill and dump them . . .
Hypothetical 2
an employee of your company took a laptop home and it was stolen out of his car
personal info of more than 1000 customers was on laptop
laptop was password protected
2 days later, the laptop was retrieved
it doesn’t appear that the information on the laptop was accessed . . .
Destruction of Personal Information
Reasonable Measures to Protect Information
Responsibility of Document Disposal Company
Exceptions
Security Breach
Number of breaches AG’s Office has been notified about since Dec. 30, 2005? 62
Number of NC residents impacted? 340,972
**as of 11/14/06 -- only includes breaches/numbers reported to AG’s Office; does not include figures from some breaches such as the VA Admin breach
Security Breach Stats
**as of 11/14/06 -- only includes breaches/numbers reported to AG’s Office
Type of Breach                       Number   %
Stolen Laptops, Computers & Equip    30       48.39%
Hackers/ Unauthorized Access         12       19.35%
Release/Display of Info              11       17.74%
Data Theft by Employee/Contractor    5        8.06%
Lost in Transit                      2        3.23%
Phishing                             2        3.23%
Total                                62
[Bar chart: Number of Breaches by type of breach. Stolen Laptops, Computers & Equip: 30; Hackers/Unauthorized Access: 12; Release/Display of Info: 11; Data Theft by Employee or Contractor: 5; Lost in Transit: 2; Phishing: 2]
**as of 11/14/06 -- only includes breaches/numbers reported to AG’s Office
Security Breach Stats
**as of 11/14/06 -- only includes breaches/numbers reported to AG’s Office
Type of Breach                       NC Residents   %
Stolen Laptops, Computers & Equip    97,029         28.46%
Hackers/ Unauthorized Access         6,464          1.90%
Release/Display of Info              201,511        59.10%
Data Theft by Employee/Contractor    7,570          2.22%
Lost in Transit                      28,382         8.32%
Phishing                             16             0.00%
Total                                340,972
Security Breach Stats
**as of 11/14/06 -- only includes breaches/numbers reported to AG’s Office
Type of Entity                   Number   %
Financial Services/ Insurance    36       58.06%
General Business                 18       29.03%
Healthcare                       5        8.06%
Government                       3        4.84%
Educational                      0        0.00%
Total                            62
Security Breach
General Provisions
What is a Security Breach?
Who must notify?
Notification Requirements
Additional Notice Requirements
Security Breach =
Unauthorized access and acquisition
Unencrypted or unredacted records/data
  Encrypted data only constitutes a breach if the confidential process or key is also acquired
Access by an employee in good faith is not a breach as long as the info is used for a legitimate purpose and not further disclosed
Things I Hope I Have Done
Provided information for you to be able to keep your company or organization in compliance with the Act
Informed you of the Act so you can share the information with
  your coworkers
  your friends and family
and last but not least
Provided you with a better understanding of how to protect your own identity